How can I span my LAN subnet over MPLS using two Watchguard firewalls?

Hi all,

We have a VMWare ESX 3.5 environment at head office with a DR server in a co-lo. We want to use Vizioncore vReplicator to back up servers to the co-lo. The two sites are connected via a 10Mb MPLS routed link and I need to extend my local subnet so that the DR server has an IP address on our subnet for vReplicator to work fully.

We have a Watchguard X750e at head office and were told by Watchguard that if we bought an X550e for the co-lo, the Watchguards could span the subnet over the MPLS.

Now (after we've purchased the unit) Watchguard are backtracking and referring this to the US. A week and a half later and I still don't have an answer.

Does anyone know if this is possible? If not with Watchguards, is there any other hardware or software that will let me do this?

It's very frustrating as we've made a significant investment on Watchguard's advice, only for them to mess us about now we're ready to implement their solution.

Any advice, greatly appreciated.



Just a few questions before we get started.
If I understand you correctly, you want to use the same IP range in your co-lo?
I presume your co-lo has already been set up with its own IP range, or does it indeed have the same IP range as your HQ?
What is wrong with using a routed subnet in your co-lo?
aimvicit (Author) Commented:

You assume correctly, the DR server needs to be on the same subnet as head office. vReplicator ideally needs to be configured with production and DR on the same subnet so you can fail over to VMs in the DR without any issues with DNS trying to update over two subnets. For example, our Exchange server VM dies and we bring the DR VM up; in the recommended configuration this would have the same name and IP. It is possible for it to just have the same name on a different IP, but not recommended for DNS reasons.

A bridge would be ideal, but I don't think the ISP can do it.

Thanks again.
I do not think that WG would route MPLS over VPN; if you have pure IP traffic then we can create a VPN tunnel between two endpoints with the same IP subnet by configuring NAT over IPsec.

Can you advise: if you do not do MPLS and just configure a simple VPN tunnel between the endpoints with NAT over IPsec, so that the same subnet is not a problem, would this solution work for you or not?

Thank you.
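To make the "NAT over IPsec" suggestion concrete, here is an added illustration (not WatchGuard configuration and not code from anyone in this thread) of the address translation that lets two sites with the same 192.168.1.0/24 LAN talk through one tunnel. Each side is presented to the tunnel behind its own unused 1:1 NAT range; the prefixes 10.1.1.0/24 and 10.1.2.0/24 and the host addresses are constructed sample values. The script checks that a chosen plan has no address conflicts and then follows one packet from an HQ host to the DR server through both firewalls.

```python
import ipaddress

# Constructed sample plan: both LANs really are 192.168.1.0/24.
# HQ shows itself to the tunnel as 10.1.1.0/24, the co-lo as 10.1.2.0/24.
HQ_REAL, HQ_NAT = "192.168.1.0/24", "10.1.1.0/24"
COLO_REAL, COLO_NAT = "192.168.1.0/24", "10.1.2.0/24"


def nat_translate(addr, from_net, to_net):
    """1:1 NAT: keep the host bits, swap the network part."""
    ip = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(from_net)
    dst = ipaddress.IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT requires equal-size prefixes")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    offset = int(ip) - int(src.network_address)
    return str(dst.network_address + offset)


def validate_plan(hq_real, hq_nat, colo_real, colo_nat):
    """Return a list of conflicts; an empty list means the plan is usable.

    The two real LANs are allowed to overlap (that is the whole point).
    Every other pair must be disjoint, otherwise a host cannot tell a
    translated remote address from a local one.
    """
    nets = {
        "HQ real": ipaddress.IPv4Network(hq_real),
        "HQ NAT": ipaddress.IPv4Network(hq_nat),
        "co-lo real": ipaddress.IPv4Network(colo_real),
        "co-lo NAT": ipaddress.IPv4Network(colo_nat),
    }
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if {a, b} == {"HQ real", "co-lo real"}:
                continue  # overlapping real LANs are expected here
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def forward_packet(src, dst):
    """Trace src (an HQ LAN host) to dst (a co-lo host as HQ sees it).

    Returns the (src, dst) pair as seen on the HQ LAN, inside the tunnel,
    and on the co-lo LAN after both firewalls have translated it.
    """
    hq_lan = (src, dst)
    # Outbound at HQ: source NAT into HQ's tunnel range.
    tunnel = (nat_translate(src, HQ_REAL, HQ_NAT), dst)
    # Inbound at the co-lo: destination NAT back to the real LAN address.
    colo_lan = (tunnel[0], nat_translate(dst, COLO_NAT, COLO_REAL))
    return {"hq_lan": hq_lan, "tunnel": tunnel, "colo_lan": colo_lan}


if __name__ == "__main__":
    conflicts = validate_plan(HQ_REAL, HQ_NAT, COLO_REAL, COLO_NAT)
    print("plan conflicts:", conflicts or "none")
    # HQ host .10 reaches the DR server (.20 on the co-lo LAN) as 10.1.2.20
    for hop, pair in forward_packet("192.168.1.10", "10.1.2.20").items():
        print(f"{hop:9s} src={pair[0]:15s} dst={pair[1]}")
```

The point the trace makes is that neither LAN is renumbered: HQ hosts address the DR server as 10.1.2.20, the co-lo box sees connections from 10.1.1.10, and DNS or application settings that must contain the "real" 192.168.1.x address on both sides still will not line up, which is the trade-off against the bridged or routed-subnet options discussed elsewhere in the thread.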


Your wish includes ARP broadcasts for the same IP to work after a failover. I think you're better off with a well-configured DNS. For the DNS issue you could think of very low TTL values.
aimvicit (Author) Commented:
Hi, are you suggesting using a different subnet with the same DNS names? If so, that is a possible scenario but not one Vizioncore recommend.

If I understand correctly the MPLS is probably handled at both ends by a managed router from your ISP - is that the case? If so is the 550e in front of the managed router at the co-lo or is it the other way around?
aimvicit (Author) Commented:
Yes correct, the 550e will be in front of the managed router at the co-lo.
Ok. If your Exchange server goes down and the backup server has to come online, will it be sending mail over the MPLS through the main office's internet connection or does it access the internet from the co-lo?
aimvicit (Author) Commented:
We would expect it to get email through the main office connection. We would only ever enable the internet access at the co-lo if we lost the main site (e.g. fire).

Ok. You don't need the 550e to expand your subnet to the co-lo. You can just configure the server with the correct IP address. If you can't - then you need to escalate a ticket with your ISP to reconfigure your managed router at your co-lo.

I have a similar setup with a WG 550e at the corporate office and MPLS running to a satellite office. The server at the satellite office connects to the managed router and is set up on the 192.168.10 subnet, whereas the corp office is the 192.168.1 subnet. So it's a little bit different - but I can't imagine that I could not just change the server IP to and it would not work just the same.

If it doesn't, like I said, then there is a setting in the managed router that connects the two subnets and this would need to be changed by the ISP - I am not 100% on this part though b/c I didn't implement it.

I would get that working first then add the 550e back into the mix for your failover internet solution. I am pretty sure your internet and MPLS bandwidth are going to come into the co-lo on separate circuits, one of which would be connected to the 550e and one of which will connect to your managed router - then both of those would run into your switch, and then your server.

I don't think in any of this you need to configure the 550e to expand the subnet from the head office.

Let me know how it goes hope this helps.

 - Bob
But if your MPLS and internet at main office are the same provider chances of MPLS being up when internet is down are slim - so you might not need 550e at all.
I'm indeed suggesting a different subnet (which it already has) and you let the server register itself with DNS, overwriting the currently offline server's IP address with its own. I presume the server at the co-lo is turned off...